Pentesting with a Raspberry Pi!

For years now I have been a huge proponent of the Raspberry Pi.  I started with a Raspberry Pi 2, which required a USB WiFi dongle for wireless, to a Raspberry Pi 3b with onboard WiFi.  Later I would get a pair of Raspberry Pi Zero W’s, and finally, this past summer, the newly released Raspberry Pi4, with 4GB of RAM and 64bit ARM.

Intro

Pi’s have always been marketed as a small, affordable, credit card sized, turn key micro computer.  Their relatively small size and well supported hardware accessories have made it a great choice for mobile penetration testing, and a host of supported operating systems.  Fortunately, Kali Linux is one of those systems, and a great choice for setting up not only a mobile pentesting system, but also one at your desk if you can’t afford a more expensive PC.

The Raspberry Pi4 model I use is the 4GB version.  It specs out with:

  1. Quad Core Cortex-A72 ARM v8 64-bit processor @ 1.5GHz
  2. 4GB LPDDR4-2400 SDRAM
  3. 2.4 and 5GHz 802.11ac wireless, and Bluetooth 5.0
  4. Gigabit Ethernet
  5. 2 USB 3.0 ports and 2 2.0 ports
  6. 2x micro-HDMI ports

There are also 1GB and 2GB versions for slightly lesser prices, however there is a world of difference made with that extra RAM, and well worth the extra $20 if you can afford it.  Many kits are also available for the Raspberry Pi, with my favorite being from CanaKit, which includes a complete starter kit, with a Pi4, 32GB Micro SD Card, Case and fan, power supply, HDMI cable, and Power cable.  This kit runs $99, and can be found here on Amazon.  Alternatively, you can also choose to piece together your own kit.

 Setup

Please note that the following guide is directed to Windows users, however, many of the following steps apply generally to Linux and Mac users. 

Getting started with Kali Linux on the Pi4 begins with a visit to Offensive Security’s Kali Linux ARM Images Page to get the latest version of Kali Linux for the Pi4 (at this moment, 2019.4).  You’ll find a host of different images here, but the one we need is under RASPBERRY PI FOUNDATION.  You will want the image that has 64-Bit (as of current, Kali Linux Raspberry Pi 2 (v1.2), 3 and 4 64-Bit).  Click the link to download it to your PC (alternatively, you can choose to Torrent it, however I don’t).  Please note that Offensive Security regularly updates their OS images, and the available images will very likely be different in the future.

Once the file is downloaded, you will need to use your favorite extracting tool to extract the .xz file.  I use 7 Zip, which can be found here, however, you can choose to use any you wish.  Simply extract the folder to a location of your choice.  You will need a Disk Imager to write your extracted image to your SD card.  I recommend Balena Etcher for this, which can be found here.  Once you have a Disk Imager, insert the SD card in to your computer, open Etcher, select the image, choose your SD Card (you may have to format it first), and select Flash!

You will receive a system sound when the flash is complete, at which time you can remove the SD card.  Insert the card into the Pi4, and start it up!

Setting Up Kali Linux on Raspberry Pi4

Once your Pi4 has booted up, you should have a log in screen.  By default, the username is root, and password is toor.  Log in, and you should see a desktop screen similar to below.

First and foremost, you will want to open a terminal, and run an apt-get update followed by an apt-get upgrade in order to get the most recent updates. You’ll notice after exploring a bit that there aren’t many programs available for Kali on the Pi by default.  In order to keep the size of the image minimal, Offensive Security ships their disk images with a minimal amount of tools necessary.  A visit to the Metapackages page offers a substantial list of packages that can be installed, however.  I recommend the following packages:

  • kali-tools-web
  • kali-tools-social-engineering
  • offsec-pwk
  • kali-tools-exploitation

You will notice that not all of the tools are actually downloaded to your Raspberry Pi.  Some of the tools, such as Burp Suite, have been removed from the supported dependencies list.  However, other tools, such as OWASP ZAP, are included, and can be substituted if necessary.

You may also run in to some issues while installing or using your Raspberry Pi4 with Kali Linux.  The major issues I have discovered include:

  • Issues with the Date/Time/Calendar
    • Sometimes an issue occurs where the calendar does not update it’s time.  In order to remedy this, use dpkg-reconfigure tzdata in a terminal and select your applicable options
    • On occasion, your Date/Time/Calendar will present with odd characters or foreign languages.  If you are a US based user, use the following to correct this issue
      • echo ‘export LC_ALL=en_US.UTF-8’>>.bashrc
      • source .bashrc
      • reboot now
      • If you are based outside the US, you will need to determine your localization data and encoding information and enter it accordingly
  • OWASP ZAP has a single color screen when opening
    • This is due to a version issue using Java
    • Install Java 8
      • apt-get install openjdk-8-jdk openjdk-8-jre
      • update-alternatives –config java
        • Select the version that includes Java version 8

What Next?

At this point you should have a functional penetration testing platform on your Raspberry Pi4.  I recommend that you remove the SD card, insert it into your PC, and use a tool such as Win32DiskImager to create an image of your SD card.  This is similar to creating snapshots of your Virtual Machines in Virtualbox or VMWare, and important should you discover an error or issue in your Kali image.  Having this cloned image available will save you hours of time should you run in to a critical error, and prevent you from having to reinstall thousands of files, dependencies, and programs.

After you have created your backup, it’s time to play around.  Naturally, everything you ever touch as a penetration tester you MUST have permission from the owner.  From there, if you are looking for professional education as the first step of your penetration testing journey, check out eLearnSecurity’s Penetration Test Student course here. If you want a more informal, lower cost alternative, I recommend checking out my friend Heath Adams’ course on Youtube, Zero-to-Hero, or his course on Udemy, Practical Ethical Hacking – The Complete Course.

Conclusion

A Raspberry Pi is an incredibly affordable and easy way to get started with penetration testing that is affordable and fairly straightforward, but not without limitations.  A lack of straightforward Burp Suite installation can be an issue if you do web penetration testing, but can be overcome with OWASP ZAP, netcat, etc.  The lack of a Graphics card can limit some resource intensive processes, as can the nature of the Pi4 itself.

However, if you’re looking to get started on a budget, or simply tinker around with a different machine and experience, then the Pi4 with Kali Linux is for you.

Tags:
Viewing 0 reply threads
  • Author
    Posts
    • #174740
      dievus
      Participant

      For years now I have been a huge proponent of the Raspberry Pi.  I started with a Raspberry Pi 2, which required a USB WiFi dongle for wireless, to a Raspberry Pi 3b with onboard WiFi.  Later I would get a pair of Raspberry Pi Zero W’s, and finally, this past summer, the newly released Raspberry Pi4, with 4GB of RAM and 64bit ARM.

      [See the full article at: Pentesting with a Raspberry Pi!]

Viewing 0 reply threads
  • The forum ‘Community Articles’ is closed to new topics and replies.

Copyright ©2020 Caendra, Inc.

Contact Us

Thoughts, suggestions, issues? Send us an email, and we'll get back to you.

Sending

Sign in with Caendra

Forgot password?Sign up

Forgot your details?